Malicious web redirect scripts stealth up to hide on hacked sites

Security researchers looking at more than 10,000 scripts used by the Parrot traffic direction system noticed an evolution marked by optimizations that make malicious code stealthier against security mechanisms.
Parrot TDS was discovered by cybersecurity company Avast in April 2022 and it is believed to have been active since 2019, part of a campaign that targets vulnerable WordPress and Joomla sites with JavaScript code that redirects users to a malicious location.
When Avast researchers analyzed it, Parrot had infected at least 16,500 websites, indicating a massive operation.
The operators behind Parrot sell the traffic to threat actors, who use it on users visiting infected sites for profiling and redirecting relevant targets to malicious destinations such as phishing pages or locations that deliver malware.
A recent report from Palo Alto Networks' Unit 42 team presents findings indicating that the Parrot TDS is still very active and its operators continue to work on making their JavaScript injections harder to detect and remove.
Unit 42 analyzed 10,000 Parrot landing scripts from collected between August 2019 and October 2023.
The researchers found four distinct versions that show a progression in the use of obfuscation techniques.
Parrot's landing scripts help with user profiling and force the victim's browser to fetch a payload script from the attacker's server, which carries out the redirection.
According to the researchers, the scripts used in the Parrot TDS campaigns are identified by specific keywords in the code, including 'ndsj,' 'ndsw,' and 'ndsx.
Unit 42 noticed that most infections in the examined sample have moved to the most recent version of the landing script, accounting for 75% of the total, with 18% using the previous version, and the remaining running older scripts.
Enhanced obfuscation with complex code structure and encoding mechanisms.
Despite the additional layers of obfuscation and the changes in code structure, the core functionality of the V4 landing script remains consistent with the previous versions.
It still serves its primary purpose of profiling the victim's environment and initiating the retrieval of the payload script if the conditions are met.
Regarding payload scripts, which are responsible for performing the user redirections, Unit 42 found nine variants.
These are mostly identical, apart from minor obfuscation and target OS checks performed by some.
In 70% of the observed cases, the threat actors use payload script version 2, which doesn't feature any obfuscation.
Obfuscation layers were added in versions 4-5 and became even more intricate in versions 6 through 9.
These versions have rarely been seen in compromised sites.
Overall, Parrot TDS remains an active and evolving threat that gradually becomes more evasive.
Website owners are advised to search their servers for rogue php files, scan the ndsj, ndsw, and ndsx keywords, use firewalls to block webshell traffic, and URL filtering tools to block known malicious URLs and IPs.


This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 22 Jan 2024 20:15:21 +0000


Cyber News related to Malicious web redirect scripts stealth up to hide on hacked sites

US SEC's X account hacked to announce fake Bitcoin ETF approval - The X account for the U.S. Securities and Exchange Commission was hacked today to issue a fake announcement on the approval of Bitcoin ETFs on security exchanges. The announcement came this afternoon in a now-deleted tweet from the SEC's hacked X ...
11 months ago Bleepingcomputer.com
4500+ WordPress Sites Hacked with a Monero Cryptojacking Campaign - Security researchers recently reported the discovery of a massive Monero hacking campaign targeted at WordPress sites. According to reports, more than 4500 WordPress sites were compromised with a malicious cryptocurrency-mining campaign. The hackers ...
1 year ago Thehackernews.com
Malicious web redirect scripts stealth up to hide on hacked sites - Security researchers looking at more than 10,000 scripts used by the Parrot traffic direction system noticed an evolution marked by optimizations that make malicious code stealthier against security mechanisms. Parrot TDS was discovered by ...
11 months ago Bleepingcomputer.com
Mandiant's X account hacked by crypto Drainer-as-a-Service gang - The threat actor who took over Mandiant's X social media account used it to share links, redirecting the company's over 123,000 followers to a phishing page to steal cryptocurrency. As Mandiant found during a follow-up investigation into the ...
11 months ago Bleepingcomputer.com
The Fake Browser Update Scam Gets a Makeover - One of the oldest malware tricks in the book - hacked websites claiming visitors need to update their Web browser before they can view any content - has roared back to life in the past few months. New research shows the attackers behind one such ...
1 year ago Krebsonsecurity.com
Fake IT support sites push malicious PowerShell scripts as Windows fixes - First discovered by eSentire's Threat Response Unit, the fake support sites are promoted through YouTube channels that have been compromised and hijacked to add legitimacy to the content creator. In particular, the threat actors are creating fake ...
5 months ago Bleepingcomputer.com
SEC confirms X account was hacked in SIM swapping attack - The U.S. Securities and Exchange Commission confirmed today that its X account was hacked through a SIM-swapping attack on the cell phone number associated with the account. Earlier this month, the SEC's X account was hacked to issue a fake ...
11 months ago Bleepingcomputer.com
What is SEO Poisoning Attack? - Search engine optimization (SEO) poisoning is a type of cyber attack that infiltrates search results. It consists of malicious search engine results created by an attacker attempting to redirect someone to malicious or vulnerable webpages. It is a ...
1 year ago Heimdalsecurity.com
75K+ WordPress Sites Impacted by Critical Plugin Flaws - A large-scale breach has impacted more than 75,000 WordPress sites that are running an online course plugin. According to security researchers, the plugin has three critical vulnerabilities that could expose customer data and be used to take over ...
1 year ago Bleepingcomputer.com
Watch out for "I can't believe he is gone" Facebook phishing posts - This phishing attack is ongoing and widely spread on Facebook through friend's hacked accounts, as the threat actors build a massive army of stolen accounts for use in further scams on the social media platform. As the posts come from your friends' ...
11 months ago Bleepingcomputer.com
SIEM agent being used in SilentCryptoMiner attacks | Securelist - The most interesting action in this attack was the implementation of unusual techniques like using an SIEM agent as backdoor, adding the malicious payload to a legitimate digital signature, and hiding directories containing malicious files. The ...
2 months ago Securelist.com
Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware - Hackers are breaching WordPress sites by exploiting a vulnerability in outdated versions of the Popup Builder plugin, infecting over 3,300 websites with malicious code. The flaw leveraged in the attacks is tracked as CVE-2023-6000, a cross-site ...
9 months ago Bleepingcomputer.com
CVE-2024-50002 - In the Linux kernel, the following vulnerability has been resolved: static_call: Handle module init failure correctly in static_call_del_module() Module insertion invokes static_call_add_module() to initialize the static calls in a module. ...
2 months ago Tenable.com
Netgear, Hyundai latest X accounts hacked to push crypto drainers - The official Netgear and Hyundai MEA Twitter/X accounts are the latest hijacked to push scams designed to infect potential victims with cryptocurrency wallet drainer malware. While Hyundai has already regained access to their account and has cleaned ...
11 months ago Bleepingcomputer.com
Web3 security firm CertiK's X account hacked to push crypto drainer - The Twitter/X account of blockchain security firm CertiK was hijacked today to redirect the company's more than 343,000 followers to a malicious website pushing a cryptocurrency wallet drainer. Crypto fraud sleuth ZachXBT later leaked screenshots of ...
11 months ago Bleepingcomputer.com
Number of hacked Cisco IOS XE devices plummets from 50K to hundreds - The number of Cisco IOS XE devices hacked with a malicious backdoor implant has mysteriously plummeted from over 50,000 impacted devices to only a few hundred, with researchers unsure what is causing the sharp decline. This week, Cisco warned that ...
1 year ago Bleepingcomputer.com
Exploit released for critical Cisco IOS XE flaw, many hosts still hacked - Public exploit code is now available for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198 that was leveraged as a zero-day to hack tens of thousands of devices. Cisco released patches for most releases of its IOS XE software but ...
1 year ago Bleepingcomputer.com
Flaws in Delta OT Monitoring Product Can Allow Hackers to Hide Destructive Activities - Critical vulnerabilities in a Delta Electronics operational technology monitoring product can allow hackers to hide destructive activities from the targeted organization's employees. The affected product is Delta's InfraSuite Device Master and the ...
1 year ago Securityweek.com
In Landmark Battle Over Free Speech, EFF Urges Supreme Court to Strike Down Texas and Florida Laws that Let States Dictate What Speech Social Media Sites Must Publish - WASHINGTON D.C.-The Electronic Frontier Foundation and five organizations defending free speech urged the Supreme Court to strike down laws in Florida and Texas that let the states dictate certain speech social media sites must carry, violating the ...
1 year ago Eff.org
Hackers push USB malware payloads via news, media hosting sites - A financially motivated threat actor using USB devices for initial infection has been found abusing legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads embedded in seemingly benign content. The attackers ...
10 months ago Bleepingcomputer.com
Volt Typhoon-Linked SOHO Botnet Infects Multiple US Gov't Entities - Researchers have discovered an Internet of Things botnet linked with attacks against multiple US government and communications organizations. It comes built with a series of stealth mechanisms and the ability to spread further into local area ...
1 year ago Darkreading.com
C/side Emerges From Stealth Mode With $1.7 Million Investment - C/side, a startup focusing on securing the browser supply chain, on Thursday emerged from stealth mode with $1.7 million raised in a pre-seed funding round led by Scribble Ventures, with additional investment from several angel investors. The ...
7 months ago Securityweek.com
Google Ads Invite Being Abused to Push Spam & Adult Sites - Google Ads has become another way for malicious actors to spread spam and adult sites. Recent reports have highlighted that fraudsters are abusing Google Ads invites to push their malicious content. Google Ads is Google's advertising platform, and ...
1 year ago Bleepingcomputer.com
New Balada Injector campaign infects 6,700 WordPress sites - A little over 6,700 WordPress websites using a vulnerable version of the Popup Builder plugin have been infected with the Balada Injector malware in a campaign that launched in mid-December. Initially documented by researchers at Dr. Web who observed ...
11 months ago Bleepingcomputer.com
Quishing Campaign Exploits Microsoft Open Redirect Vulnerability - Diving into a new sophisticated campaign, exploiting Microsoft's Open Redirect vulnerability through quishing. QR codes can be found almost everywhere, helping people access useful information and other webpages as fast as they can open their ...
7 months ago Cyberdefensemagazine.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)